Could the XZ backdoor have been detected with better Git and Debian packaging practices?
#XZBackdoor
https://optimizedbyotto.com/post/xz-backdoor-debian-git-detection/
The discovery of a backdoor in XZ Utils earlier this year shocked the open source community, raising critical questions about software supply chain security. This post explores whether better Debian packaging practices could have detected this threat, offering a guide to auditing packages and suggesting future improvements.

Optimized by Otto
Supply-chain attack: NPM packages with 2.6 billion downloads per week infected

Attackers have injected malware into NPM packages that are downloaded more than 2.6 billion times per week.

TARNKAPPE.INFO

https://liblzma.so/ I made a thing. impulse control is for suckers

#xzutils #xzbackdoor

@mike On one hand, governments and corporations shouldn't have to pay for using open-source software since it is explicitly provided Free....
On the other hand, it's not really fair when some poor maintainer finds themselves maintaining a project that a lot of people really depend on (the #XZbackdoor comes to mind).

Lasse Collin (the developer of xz-utils) has found out how to accept donations without breaking the Finnish money collection law:
https://github.com/tukaani-project/xz/issues/105#issuecomment-2599004098

He has created an account on #LiberaPay with a restriction to not accept donations from Finns or people living in Finland:
https://liberapay.com/Larhzu/

#OpenSource #XZBackdoor #XZUtils #XZ

Enable sponsorship on your repo · Issue #105 · tukaani-project/xz

With the recent attention, I'm sure plenty of people will be willing to donate a few dollars to help support you. Please enable the "Sponsor" feature on your repo : https://docs.github.com/en/spons...

GitHub
VIDEO: BSidesNYC 2024 - XZ Backdoor: Navigating the Complexities of Supply Chain Attacks Detected by Accident
Yoad Fekete - Myrror Security https://www.youtube.com/watch?v=N4Mxu2hJcwA&list=PLlg8We3ePxcMDrUFNWs7hyx3uJwnhK-_a #BSidesNYC #BsidesNYC2024 #bsidesnyc0x04 #cybersecurity #InfoSec #supplychain #XZbackdoor
BSidesNYC 2024 - XZ Backdoor Navigating the Complexities of Supply Chain Attacks Detected...

YouTube
XZ Utils backdoor

I thought the case of the #xzbackdoor would be a really good way to make students aware of the many different dimensions of computing, and the “The Philosophy of the Open Source Pledge” https://vladh.net/the-philosophy-of-the-open-source-pledge/, which I assigned as reading, highlights many of the issues in a concise fashion.

Most students: 😴

The Philosophy of the Open Source Pledge

Today, we launched the Open Source Pledge. Virtually all companies use Open Source software, making the Open Source ecosystem crucial to virtually all of the technology we use. That Open Source software is created and supported by maintainers. But the companies that use Open Source software almost never pay the maintainers anything. This means that the maintainers end up doing a huge amount of work for free, often as a second shift after their dayjob so that they can pay the bills, leaving them burned out and overworked, and leaving the projects they maintain at risk of serious security issues.

Vlad's Website

I wish this NPR podcast wasn't slanted against 'open source software' (not even mentioning FOSS). It is a very well composed and informative story about the XZ Attack, but it expressly states that open source methods were the vulnerability, implying this production method 'that built the internet' is now ending its beneficial phase. https://www.npr.org/2024/05/17/1197959102/open-source-xz-hack

Reminds me of the news splatter claiming the economic model is all bad. #XZBackdoor #FOSS

XZ backdoor: Hook analysis

In this article, we analyze the XZ backdoor's behavior inside OpenSSH after it has installed its hooks on the RSA-related functions.

Kaspersky